What are the CMMC Requirements?

The requirements for CMMC certification will depend upon the level of certification needed. Each level contributes to the requirements, starting with the levels below it. Throughout the three CMMC levels, the certification requirements consist of:

• 43 capabilities covering 17 capability domains
• Five procedures to determine process advancement
• 171 practices to assess technical capability

Here's a breakdown of the essential CMMC requirements:

• Tiered Levels: CMMC has three levels (1-3) with increasing cybersecurity maturity. Level 1 requires basic cyber hygiene practices, Level 2 involves implementing specific security controls, and Level 3 (under development) focuses on advanced practices.
• NIST Standards: CMMC aligns with the National Institute of Standards and Technology (NIST) cybersecurity standards, particularly NIST SP 800-171. Level 2 requires implementing all 110 controls in this standard.
• Assessment Process: DoD-approved independent assessors conduct CMMC assessments to verify that a company's cybersecurity practices meet the required level.
• Focus on Information Protection: CMMC aims to safeguard CUI and Federal Contract Information (FCI) entrusted to DIB contractors.

CMMC is currently in a phased rollout, with mandatory compliance expected to begin around 2026 for most DoD contracts.

The requirements an organization must meet will rely on the level of certification. The requirements are divided into practices and procedures. To comply with each certification level, a service provider should achieve the requirements for all the rules and procedures related to the level throughout many functionalities.

See Also

• What is NIST 800-171? 

Return to Cybersecurity Frameworks and Standards Glossary